Skip to Content

Switching the authentication mechanism after installation

You can switch to a different authentication mechanism for TrueSight Network Automation after installation by rerunning the installation program.

Before you begin

Before you run the installation program again, set the SKIP_DB_UPGRADE property to true in the BcanInstalledConfiguration.xml file in the BCAN_HOME directory.

To switch the authentication mechanism

Run the installation program and select the required authentication mechanism. For more information, see Performing-the-installation.

After you install

Set the SKIP_DB_UPGRADE property to false in the BcanInstalledConfiguration.xml file in the BCAN_HOME directory. 







Enabling the Active Directory authentication mechanism after installation

This topic describes the prerequisites and the procedure to configure TrueSight Network Automation to enable Active Directory (AD) authentication without rerunning the installation program.

Before you begin

Ensure that you have met the following prerequisites:

  • AD server is named appropriately.
  • LDAP uses an available port.
  • Create a user in Network Automation with the administrator role with the same name as an AD domain user. This account acts as the Network Automation administrator because the default system administrator account, sysadmin cannot log on after Network Automation is configured for AD authentication.
  • Network Automation system administrator account is created in the OU “Service Accounts” in the root of the LDAP directory because Network Automation searches for user accounts recursively. In this case, it searches recursively from the root of AD.
  • All existing Network Automation user accounts in AD are recreated to continue using them. They will retain their existing rights and roles within Network Automation.
Error
Warning

The changes made in the global.properties and the server.xml files in the following procedure are not carried forward and would therefore need to be redone after an upgrade.

However, the older files are saved in the BCAN_DATA\_upgrade folder and can be referenced after the upgrade.

To enable AD authentication

  1. Stop the Network Automation server.

  2. Open the global.properties file with a text editor located in the BCAN_DATA directory and change the authentication mechanism to activeDirectory as shown in the following code snippet:

    # Indicates the type of authentication being used.
    # Default is local authentication where username and password information
    # reside in the TrueSight Network Automation database. Others are remote authenticators
    # configured as a Realm in the server.xml file.
    # Allowed options: local/activeDirectory/ldap/radius/tacacs
    # Default = local

     userAuthMode=activeDirectory
  3. Invoke the Network Automation maintenance utility from the BCAN_HOME\utility directory, by using the following command:
    • (Windows) BcanMaintenanceTool.bat
    • (Linux) ./BcanMaintenanceTool.sh
  4. Encrypt the AD root user password as shown in the following figure:
    MaintenanceTool.png
  5. Navigate to the BCAN_HOME\tomcat\conf directory and open the Tomcat server configuration file (server.xml) file with a text editor.

  6. Search the file for a section similar to the following one and comment the section, which represents the local authentication.

    <Realm className="com.bmc.bcan.catalina.realm.BNAJDBCRealm"
           driverName="org.postgresql.Driver"
           connectionURL="${bna.jdbcRealm.connectionURL}"
           connectionName="${bna.jdbcRealm.connectionUsername}"
           connectionPassword="${bna.jdbcRealm.connectionPassword}"
           userTable="usr"
           userNameCol="user_name"
           userCredCol="encrypted_password"
           userRoleTable="usr"
           roleNameCol="realm_role_name">
       <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
    algorithm="SHA-256" />
               </Realm>

  7. Below the commented section, add the following section to enable the active directory authentication:

    <Realm className="com.bmc.bcan.catalina.realm.BNAJNDIRealm"
           connectionURL="${bna.jndiRealm.connectionURL}"
           alternateURL="${bna.jndiRealm.alternateURL}"
           connectionName="${bna.jndiRealm.principal},${bna.jndiRealm.baseDN}"
           connectionPassword="${bna.jndiRealm.connectionPassword}"
           userBase="${bna.jndiRealm.userBase}${bna.jndiRealm.baseDN}"
           userSearch="${bna.jndiRealm.userSearch}"
           userSubtree="${bna.jndiRealm.userSubtree}"
           referrals="${bna.jndiRealm.referrals}"/>
     </Realm>

    For a sample server.xml file, see the Sample server.xml file section.

  8. Save the file.

  9. In the BCAN_HOME\tomcat\conf directory, open the catalina.properties file with a text editor and populate the following parameters with the details of your AD server: 

    • bna.jndiRealm.connectionURL
    • bna.jndiRealm.alternateURL
    • bna.jndiRealm.principal
    • bna.jndiRealm.baseDN
    • bna.jndiRealm.connectionPassword
    • bna.jndiRealm.userSearch
    • bna.jndiRealm.userBase
    • bna.jndiRealm.userSubtree
    • bna.jndiRealm.referrals

    For a sample catalina.properties file, see the Sample catalina.properties file section.

  10. Save the file.
  11. Restart the TrueSight Network Automation server.
  12. Log on with the AD domain user that you have already created (see Before you begin).
  13. Do one of the following:
    • Enable the Automatically Add New Users As system parameter.
      If this parameter is enabled, when a user logs on to TrueSight Network Automation, the user account is automatically created in TrueSight Network Automation with the selected role.
    • Add users manually in TrueSight Network Automation. 
    • Use the ldap_import_users script to import users from AD into TrueSight Network Automation.  For more information about the script, see Tools-and-scripts.

Sample server.xml file

The following code snippet shows a sample server.xml file with the active directory authentication:

<?xml version='1.0' encoding='utf-8'?>
<!--
   ============================================================
   This file is not maintained between TrueSight Network Automation
   upgrades, however the values of most of the variables are
   maintained in catalina.properties which is maintained
   across upgrades.

   Do not update this file; all changes should be made
   within catalina.properties.
   ============================================================
-->


<Server port="-1">    <!-- shutdown port is disabled -->
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  -->

  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->

  <Service name="Catalina">
    <!-- Note that a non-default threadPriority can be specified in connectors. Bumping up thread
         priority on Windows (e.g. to 10) is recommended if your UI performance degrades considerably
         when jobs are running in the background. On Linux threadPriority doesn't seem to be very
         effective (see comments on bna.connector.threadPriority in catalina.properties). -->

    <!-- Redirects HTTP traffic to HTTPS -->
    <Connector port="${bna.connector.port}"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="${bna.connector.maxThreads}"
               threadPriority="${bna.connector.threadPriority}"
               connectionTimeout="${bna.connector.connectionTimeout}"
               redirectPort="${bna.connector.sslPort}"
               URIEncoding="UTF-8"/>

    <!-- Handles HTTPS traffic -->
    <Connector port="${bna.connector.sslPort}"
   compression="on"
   useSendfile="false"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="${bna.connector.maxThreads}"
               threadPriority="${bna.connector.threadPriority}"
               scheme="https"
               secure="true"
               server="TrueSight Network Automation Server"
               clientAuth="false"
               sslEnabledProtocols="${bna.connector.sslEnabledProtocols}"
               maxHttpHeaderSize="${bna.connector.maxHttpHeaderSize}"
               connectionTimeout="${bna.connector.connectionTimeout}"
               maxParameterCount="${bna.connector.maxParameterCount}"
               disableUploadTimeout="true"
               keystorePass="${bna.connector.keystorePass}"
               ciphers="${bna.connector.ciphers}"
               URIEncoding="UTF-8"/>

    <!-- with compression="on", the default compressibleMimeType is
"text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml"
    -->

    <Engine name="Catalina" defaultHost="localhost">

      <!-- BEGIN: BCA-Networks realm configured by InstallShield -->
      <Realm className="com.bmc.bcan.catalina.realm.BNALockOutRealm"
             failureCount="${bna.lockOutRealm.failureCount}"
             lockOutTime="${bna.lockOutRealm.lockOutTime}"
             cacheSize="${bna.lockOutRealm.cacheSize}"
             cacheRemovalWarningTime="${bna.lockOutRealm.cacheRemovalWarningTime}">
        <!-- <Realm className="com.bmc.bcan.catalina.realm.BNAJDBCRealm"
               driverName="org.postgresql.Driver"
               connectionURL="${bna.jdbcRealm.connectionURL}"
               connectionName="${bna.jdbcRealm.connectionUsername}"
               connectionPassword="${bna.jdbcRealm.connectionPassword}"
               userTable="usr"
               userNameCol="user_name"
               userCredCol="encrypted_password"
               userRoleTable="usr"
               roleNameCol="realm_role_name">
   <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
   algorithm="SHA-256" />
               </Realm> -->
<Realm className="com.bmc.bcan.catalina.realm.BNAJNDIRealm"
               connectionURL="${bna.jndiRealm.connectionURL}"
               alternateURL="${bna.jndiRealm.alternateURL}"
               connectionName="${bna.jndiRealm.principal},${bna.jndiRealm.baseDN}"
               connectionPassword="${bna.jndiRealm.connectionPassword}"
               userBase="${bna.jndiRealm.userBase}${bna.jndiRealm.baseDN}"
               userSearch="${bna.jndiRealm.userSearch}"
               userSubtree="${bna.jndiRealm.userSubtree}"
               referrals="${bna.jndiRealm.referrals}"/>

      </Realm>

      <!-- END: BCA-Networks realm configured by InstallShield -->

      <!-- The request dumper valve dumps useful debugging information about
           the request and response data received and sent by Tomcat.
           Documentation at: /docs/config/valve.html -->
      <!--
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      -->

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="false">

        <!-- Uncomment to enable the Access Log -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
        -->

      </Host>
    </Engine>
  </Service>
</Server>

Sample catalina.properties file

The following code snippet shows a sample catalina.properties file with the active directory authentication:

#######################################################################
# TrueSight Network Automation
# Configuration settings for the tomcat server.xml configuraiton
# file.  These settings will be maintained between TrueSight Network Automation upgrades.  For
# more information on any of these settings, visit the tomcat
# documentation.
#######################################################################

#
# Priority of connection threads (values range from 1 (lowest) to 10
# (highest). Running with a priority value of 10 is not advised, as this
# may be cause critical OS processes to starve. For thread priorities to be
# honored on Linux, one must pass "-XX:ThreadPriorityPolicy=1" to the JVM, when
# Tomcat is running as a root process.
#
# Running with a value of 9 here is recommended on Linux, in order to make the
# UI as responsive as possible when there are jobs running in the background.
# On Windows, a value of 9 does not lead to the same improvements in UI
# responsiveness for some reason, so a value of 5 is recommended on Windows.
#
# Default=9
#
bna.connector.threadPriority=5
#
# This is the number of failed authentication attempts allowed before user gets locked.
# Default=5
#
bna.lockOutRealm.failureCount=5
#
# The time period in second for which the locked out user will remain locked unless
# administrator unlocks in the meantime. After elapsing this time the user will
# automatically gets unlocked.
# Default=86400 (24 hours)
#
bna.lockOutRealm.lockOutTime=86400
#
# Number of users that have failed authentication to keep in cache.
# Default=1000
#
bna.lockOutRealm.cacheSize=1000
#
# If a failed user is removed from the cache because the cache is too big before
# it has been in the cache for at least this period of time (in seconds) a
# warning message will be logged.
# Default=3600 (1 hour)
#
bna.lockOutRealm.cacheRemovalWarningTime=3600
#
# JDBC realm database connection URL
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionURL=
#
# JDBC realm database connection user name
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionUsername=
#
# JDBC realm database connection password (encrypted)
# Used only for local authentication mode
# Default=(blank)
#
bna.jdbcRealm.connectionPassword=
#
# JNDI realm connection URL
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.connectionURL=ldap://ab.Testlab.local:389
#
# JNDI realm alternate/secondary connection URL
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.alternateURL=
#
# JNDI realm username (principal) to use when establishing a connection to
# the directory for search operations, for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.principal=cn=Administrator,ou=Service Accounts
#
# JNDI realm base directory name, for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.baseDN=ou=Service Accounts,dc=lab,dc=local,dc=com
#
# JNDI realm connection password (encrypted), for non-anonymous bind
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.connectionPassword=5cc91dgf58d57996a8fd9e65cb6d76c40
#
# JNDI realm pattern for searching user names
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userSearch=(sAMAccountName={0})
#
# JNDI realm directory element (not including the Base DN) in which user
# accounts are defined. If present, must end in a comma, since it will
# be prepended to the baseDN value.
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userBase=ou=Service Accounts,
#
# JNDI realm pattern for field containing subtree search
# Used only for LDAP or AD authentication mode
# Default=(blank)
#
bna.jndiRealm.userSubtree=true
#
# JNDI realm indicator for action to take on referrals
# Used only for LDAP or AD authentication mode
# Default=follow
#
bna.jndiRealm.referrals=follow

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*

TrueSight Network Automation 25.1